Disclosure of patient blood results without consent

Dr Blesset Nkambule, Medicolegal Consultant at Medical Protection, explores a case of patient data disclosure via WhatsApp and outlines key steps for ensuring consent, protecting confidentiality and managing complaints effectively.

The case 

Dr X, a GP in private practice, inadvertently disclosed a patient’s blood results to a third party (the patient’s employer) via WhatsApp using contact details provided by the patient when they registered with the practice. The patient claimed they had not consented to receiving personal information via this method or to this contact number, leading to a data breach and patient distress. 

Background 

  • Patient J registered with the practice and provided a mobile telephone number for ‘contact’ purposes. 
  • Dr X sent Patient J’s blood results to the number provided without consent for disclosure on that number. 
  • The number belonged to Patient J’s employer, who was not authorised to receive Patient J’s results. 
  • Patient J was upset upon learning of the breach and complained to the practice. After an unfortunate exchange of words with the receptionist, they left a message asking to speak to Dr X, threatening that they ‘will take this further’.

How Medical Protection assisted 

Dr X contacted Medical Protection and requested assistance with managing the patient complaint and the breach of patient confidential information. 

Medical Protection advised Dr X to contact Patient J, acknowledge the complaint, apologise and initiate an internal review.

Medical Protection also advised Dr X to send a message to the unauthorised third party advising them to delete and not further disseminate the personal information they had received in error.

The breach was investigated by Dr X, and it was found that, although the contact number was correct and had been provided by Patient J, they had not consented to their personal medical information being sent to that particular number or to information being shared via WhatsApp. 

Dr X was advised to communicate the outcome of the internal review to Patient J and ensure that the data breach incident, along with measures taken and proposed to address the security compromise, was duly reported to the Information Regulator. 

Patient J accepted Dr X’s response and commended the proactive manner in which the complaint and the data breach had been handled. They decided not to escalate the matter further. 

Learning points 

This case highlights the importance of confirming patient consent for communication of personal medical information to protect confidentiality and to comply with POPIA and HPCSA guidelines. Non-compliance can lead to HPCSA complaints, while findings made by the Information Regulator can attract sanctions of up to ten years' imprisonment or a fine of up to R10 million for serious offences. Some data subjects may choose to lodge a civil claim for damages. It also demonstrates the importance of handling patient complaints appropriately in the first instance to avoid escalation to further legal action. 

  • Managing patient complaints 

Develop a clear process for managing patient complaints, including acknowledgement, investigation and response. This will help to ensure the complaint is acknowledged and investigated promptly. Respond to the complainant empathetically, and document the process and actions taken. 

  • Confirm consent for communication and verify contact details 

Before sending personal medical information, confirm the patient’s preferred contact details and whether they consent to receiving it via the proposed platform (e.g. email or WhatsApp). These details should be reconfirmed periodically to avoid error. Patient registration forms could also be updated to include explicit consent for communication methods, and staff should be trained to verify patient consent before disclosing personal information. 

  • Informed consent for disclosure to third parties 

Ensure patients understand how the contact information they provide will be used and, on each occasion, obtain the patient’s consent for which third parties their personal medical information may be disclosed to.

  • Data breach protocols 

Follow practice protocols for reporting and managing data breaches promptly. These should be in line with the Protection of Personal Information Act (POPIA) and Booklet 5 of the HPCSA ethical guidelines, Confidentiality: Protecting and Providing Information. Review and update data breach response protocols regularly.